trpc-next-0.5.81.tgz: 11 vulnerabilities (highest severity is: 10.0) #141
Description
Vulnerable Library - trpc-next-0.5.81.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (trpc-next version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-55182 |  Critical |
10.0 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-67779 |  High |
7.5 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-55184 | High |
7.5 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-29057 |  Medium |
6.5 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-57822 | Medium |
6.5 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-57752 | Medium |
6.2 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59472 | Medium |
5.9 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59471 | Medium |
5.9 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2026-27980 | Medium |
5.3 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-55183 | Medium |
5.3 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-55173 | Medium |
4.3 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-55182
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Publish Date: 2025-12-03
URL: CVE-2025-55182
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-fv66-9v8q-g76r
Release Date: 2025-12-03
Fix Resolution: next - 15.0.5,next - 15.4.8,next - 15.5.7,next - 15.1.9,next - 16.0.7,next - 15.2.6,next - 15.3.6,react-server-dom-turbopack - 19.1.2,https://github.com/facebook/react.git - v19.1.2,https://github.com/facebook/react.git - v19.0.1,https://github.com/facebook/react.git - v19.2.1,react-server-dom-turbopack - 19.2.1,react-server-dom-parcel - 19.1.2,react-server-dom-turbopack - 19.0.1,react-server-dom-webpack - 19.0.1,react-server-dom-webpack - 19.1.2,react-server-dom-webpack - 19.2.1,react-server-dom-parcel - 19.2.1
Step up your Open Source Security Game with Mend here
CVE-2025-67779
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Publish Date: 2025-12-11
URL: CVE-2025-67779
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution: next - 15.1.9,next - 15.2.6,next - 15.5.7,next - 15.3.6,react-server-dom-parcel - 19.2.3,next - 15.4.8,next - 15.0.5,next - 16.0.7,react-server-dom-turbopack - 19.2.3,react-server-dom-turbopack - 19.0.3,react-server-dom-turbopack - 19.1.4,react-server-dom-webpack - 19.0.3,react-server-dom-webpack - 19.2.3,react-server-dom-webpack - 19.1.4,react-server-dom-parcel - 19.1.4
Step up your Open Source Security Game with Mend here
CVE-2025-55184
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Publish Date: 2025-12-11
URL: CVE-2025-55184
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-11
Fix Resolution: next - 15.3.6,react-server-dom-parcel - 19.2.3,next - 15.5.7,next - 15.1.9,next - 16.0.7,next - 15.0.5,next - 15.2.6,next - 15.4.8,react-server-dom-turbopack - 19.2.3,react-server-dom-turbopack - 19.1.4,react-server-dom-turbopack - 19.0.3,react-server-dom-webpack - 19.2.3,react-server-dom-webpack - 19.1.4,react-server-dom-webpack - 19.0.3,react-server-dom-parcel - 19.1.4
Step up your Open Source Security Game with Mend here
CVE-2026-29057
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
Summary When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. Impact An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. Patches The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path. Workarounds If upgrade is not immediately possible: - Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy. - Enforce authentication/authorization on backend routes per our "security guidance" (https://nextjs.org/docs/app/guides/data-security).
Publish Date: 2026-03-18
URL: CVE-2026-29057
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-18
Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7,https://github.com/vercel/next.js.git - v15.5.13
Step up your Open Source Security Game with Mend here
CVE-2025-57822
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js Middleware versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-08-29
URL: CVE-2025-57822
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-4342-x723-ch2f
Release Date: 2025-08-29
Fix Resolution: next - 14.2.32,next - 15.4.7,https://github.com/vercel/next.js.git - v14.2.32,https://github.com/vercel/next.js.git - v15.4.7
Step up your Open Source Security Game with Mend here
CVE-2025-57752
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
Publish Date: 2025-08-29
URL: CVE-2025-57752
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-g5qg-72qw-gw5v
Release Date: 2025-08-29
Fix Resolution: next - 15.4.5,next - 14.2.31
Step up your Open Source Security Game with Mend here
CVE-2025-59472
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the "Next-Resume: 1" header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:
- Unbounded request body buffering: The server buffers the entire POST request body into memory using "Buffer.concat()" without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
- Unbounded decompression (zipbomb): The resume data cache is decompressed using "inflateSync()" without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.
Both attack vectors result in a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory") causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.
To be affected you must have an application running with "experimental.ppr: true" or "cacheComponents: true" configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-01-26
URL: CVE-2025-59472
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5f7q-jpqc-wp7h
Release Date: 2026-01-26
Fix Resolution: next - 15.4.2,next - 15.1.1,next - 16.1.5,next - 15.0.3,next - 15.0.2,next - 15.3.1,next - 15.0.0,next - 15.2.1,next - 15.3.0,next - 15.2.0,next - 15.0.1,next - 15.2.2,next - 15.4.0
Step up your Open Source Security Game with Mend here
CVE-2025-59471
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Publish Date: 2026-01-26
URL: CVE-2025-59471
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9g9p-9gw9-jx7f
Release Date: 2026-01-26
Fix Resolution: next - 15.5.10,next - 16.1.5
Step up your Open Source Security Game with Mend here
CVE-2026-27980
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache ("/_next/image") did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with "images.maximumDiskCacheSize", including eviction of least-recently-used entries when the limit is exceeded. Setting "maximumDiskCacheSize: 0" disables disk caching. If upgrading is not immediately possible, periodically clean ".next/cache/images" and/or reduce variant cardinality (e.g., tighten values for "images.localPatterns", "images.remotePatterns", and "images.qualities").
Publish Date: 2026-03-18
URL: CVE-2026-27980
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-18
Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7,https://github.com/vercel/next.js.git - v15.5.13
Step up your Open Source Security Game with Mend here
CVE-2025-55183
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
Publish Date: 2025-12-11
URL: CVE-2025-55183
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-11
Fix Resolution: next - 15.5.7,next - 15.4.8,next - 16.0.7,next - 15.1.9,next - 15.2.6,next - 15.3.6,next - 15.0.5,react-server-dom-webpack - 19.1.4,react-server-dom-turbopack - 19.1.4,react-server-dom-webpack - 19.0.3,react-server-dom-webpack - 19.2.3,react-server-dom-parcel - 19.2.3,react-server-dom-turbopack - 19.2.3,react-server-dom-turbopack - 19.0.3,react-server-dom-parcel - 19.1.4
Step up your Open Source Security Game with Mend here
CVE-2025-55173
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.81.tgz (Root Library)
- next-11.14.1.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.14.1.tgz
Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.
Publish Date: 2025-08-29
URL: CVE-2025-55173
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-xv57-4mr9-wg8v
Release Date: 2025-08-29
Fix Resolution: next - 14.2.31,next - 15.4.5
Step up your Open Source Security Game with Mend here